Enterprise Security -> Customizing Incident Review...

cbschreiber · ‎04-12-2021

I'm wanting to add the short ID that one can generate for a notable in IR.

To the columns in Incident Review for our SOC to use.

However, I can't find the proper attribute name for this and it's not in the notable index, or in notable_xref_lookup or es_notable_events lookup.

Hoping someone can tell me what the correct "Short ID" attribute name is.

Also hoping someone can tell me how to force ES to create a Short ID for EVERY notable.

Thanks in Advance!

daventura · ‎01-10-2023

under incident review settings table attributes enter

notable_xref as the field and Short ID as the title

Also you should schedule a search to run every 5 minutes */5 * * * *

to automatically create the short id's, this is most helpful

`notable`
| where isnull(notable_xref)
| eval notable_time=_time, xref_label="Short ID", xref_name="short_id", xref_id="V".substr(upper(md5(event_id)), 0, 5)
| table event_id, notable_time, xref_id, xref_label, xref_name
| outputlookup append=t notable_xref_lookup

Enterprise Security -> Customizing Incident Review -> Adding Short ID

access control

other

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor